There's no need for a black market in XP patches going forward: a reasonably reliable source already exists at msfn.org, where people have been creating community-reviewed patches for Win98 and Win2K (perhaps others) - usually back-ported from MS's own patches for newer systems - for years and will doubtless be starting to do the same for XP now.

I didn't know about this. If they do start making patches for XP, and if they are able to keep up with the threats, this could be the answer.

Rui, that exploit is currently being exploited on IE 9-11 where Flash ActiveX is enabled. It's targeted at a specific group of users, as far as I can tell; no reports of it having hit XP users have yet emerged.

So let's see: XP users who are actually using IE rather than already using something more appropriate can protect themselves by disabling vgx.dll (as can any other IE users on other Windows systems). So the main headline is that XP users who DO use IE and DON'T bother disabling vgx.dll won't have their bacon saved by the emergency patch, right?

Since I haven't used IE for many years this does seem like a tempest in a teapot to me, but in any event it's certainly not an example of an XP vulnerability that can't be mitigated to leave XP every bit as safe as it was a month ago.

So let's see: XP users who are actually using IE rather than already using something more appropriate can protect themselves by disabling vgx.dll (as can any other IE users on other Windows systems). So the main headline is that XP users who DO use IE and DON'T bother disabling vgx.dll won't have their bacon saved by the emergency patch, right?

No, disabling vgx.dll and installing the patch are alternatives. Doing both is fine too. But disabling vgx.dll was the immediate workaround before the patch was available.

Originally Posted by - bill

Since I haven't used IE for many years this does seem like a tempest in a teapot to me, but in any event it's certainly not an example of an XP vulnerability that can't be mitigated to leave XP every bit as safe as it was a month ago.

Good chance for 'yes' there too (there are often mitigation procedures available to use), though by no means a lock. The latter possibility was the whole point of the exercise I described about testing against current malware using good up-to-date browsers and third-party security software (and a hardware router with integral firewall) on top of an XP system unpatched for the last year or two: to see just how important XP security patches have been any time lately in a reasonably well-set-up environment as a guide to how important they're likely to be going forward.